Overview

overview

10

Static

static

10

7_zip_installer.exe

windows7-x64

8

CHOCORAT.exe

windows7-x64

10

ChrisMessage.exe

windows7-x64

1

Free Porn.exe

windows7-x64

1

Gay Porn Mailer.exe

windows7-x64

1

GottaWork.exe

windows7-x64

PleaseWork.exe

windows7-x64

THING.exe

windows7-x64

7

Technoturn...AT.exe

windows7-x64

1

Verified by Visa.exe

windows7-x64

10

abwsx1.exe

windows7-x64

7

eee.exe

windows7-x64

1

hypno.exe

windows7-x64

8

mbam-setup...00.exe

windows7-x64

8

molesto.exe

windows7-x64

1

runme.exe

windows7-x64

7

setup.exe

windows7-x64

3

sevgi.exe

windows7-x64

6

shrek.exe

windows7-x64

8

upnp.exe

windows7-x64

7

virus.exe

windows7-x64

10

vmdestroyer.exe

windows7-x64

7

Analysis

  • max time kernel
    121s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    04-07-2024 17:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shrek.exe

  • Size

    1.3MB

  • MD5

    95462c3241a0da037ed1dddfbefb3212

  • SHA1

    2fc2bdbb697e8738fd8e310868fc7f10efcadd31

  • SHA256

    24cb8619b1e699e2a85aba8d2690e5649e9de525f7967676823f397c9c8e5da8

  • SHA512

    8deafbce2397061abfa73c70b4be0c96d5cddf7d43cfedd86f6a3539d260548207db21b9b55c6bbdce9fc4902e8ab5e1f383f0285b0a66fb7360d6d5adf9e1d7

  • SSDEEP

    24576:ICdxte/80jYLT3U1jfsWarVlDuNb+5KpcFaQ:Bw80cTsjkWarXuNbKD

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shrek.exe
    "C:\Users\Admin\AppData\Local\Temp\shrek.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:856
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\system32\gameux.dll,GameUXShim {20417d74-a335-47c3-a23c-b9c6ff905622};C:\Users\Admin\AppData\Local\Temp\shrek.exe;856
      2⤵
      • Blocklisted process makes network request
      • Modifies registry class
      PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\button.png
    Filesize

    1.5MB

    MD5

    0be7510d1b3d8032fd17a79ca33e330d

    SHA1

    ec07eaf88860c8846e000b961bb4878b9a389636

    SHA256

    3fb9f1f7d191ef48b38a100358af3b686747d8c1d60659a25212e26bb8960524

    SHA512

    2f9046fc1336ecfba6029761cff029a1e1bff1dfec2c9335a402b68c1a50aa68810fe45a04a42532cdfff30cb84d65073ccff9800e5de4bd7f4eb5d9541efeba

    Download Submit